Add users to the search head cluster
In a search head cluster, all cluster members should maintain the same set of users, with the same set of roles.
To add users to the search head cluster, you can use any of the available authentication methods: Splunk Enterprise built-in authentication, LDAP, SAML, or scripted authentication. See the chapters on authentication in the Securing Splunk Enterprise manual for details.
The cluster automatically synchronizes user configurations across the set of members, in most cases. It uses configuration replication to do this. See "Configuration updates that the cluster replicates."
Use Splunk Enterprise built-in authentication
For Splunk Enterprise built-in authentication, you can use Splunk Web or the CLI to add users and map roles. Perform the operation on any one of the cluster members. The cluster then automatically distributes the changes to all members by replicating the $SPLUNK_HOME/etc/passwd file.
Authentication restrictions
Search head clustering does have a few restrictions regarding how you configure authentication:
- The cluster replicates the configuration changes automatically only if you configure authentication through Splunk Web, the Splunk CLI, or REST endpoints. If, instead, you edit a configuration file directly, you must use the deployer to distribute the file to the cluster members.
- Even when you configure authentication through Splunk Web, the CLI, or REST endpoints, the cluster only replicates the underlying configuration files, plus the
$SPLUNK_HOME/etc/passwdfile in the case of built-in authentication. If the authentication method that you are employing requires any other associated, non-configuration files, you must use the deployer to distribute them to the cluster members. For example:
- For SAML, you must use the deployer to push the certificates.
- For scripted authentication, you must use the deployer to push the script. You must also use the deployer to push
authentication.conf, because you can only configure scripted authentication by editingauthentication.confdirectly.
- For scripted authentication, you must use the deployer to push the script. You must also use the deployer to push
How to use the deployer to push authentication files
To push arbitrary groups of files, such as SAML certificates, from the deployer, you create an app directory specifically to contain those files.
For details on how to use the deployer to push files, see "Use the deployer to distribute apps and configuration updates."
| Connect the search heads in clusters to search peers | Use a load balancer with search head clustering |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!